(A Javascript-enabled browser is required to email me.)

TBTF for 1996-03-10: Three-headed-dog night

Keith Dawson (dawson dot tbtf at gmail dot com)
Sun, 10 Mar 1996 21:56:35 -0500

Are they listening?

Don't know about you, but I've always wanted to know the things they don't want me to know. Not for political or monetary gain, but just because I'm not supposed to. For instance, wouldn't you just love to know how fine is the detail that U.S. spy satellites can resolve on the ground? (Cold War joke: a sign on the roof of the Pentagon says, in 6-inch-high letters: "If you can read this / you're where we were / 8 years ago.") Wouldn't you love to know if the NSA and/or the CIA is really listening in on U.S. citizens' phone and Internet traffic? (One of my favorite .sig's, originator unknown, reads: "The NSA is now funding research not only in cryptography, but in all areas of advanced mathematics. If you'd like a circular describing these new research opportunities, just pick up your phone, call your mother, and ask for one.") Wouldn't you love to know whether the NSA can break messages encrypted with a 512-bit PGP key?

On 1996-01-28 Harvard Law School hosted a symposium titled "Information, National Policies, and International Infrastructure." Paul Strassmann (National Defense University) and William Marlow (Science Applications International Corporation) gave a talk [1] entitled "Anonymous Remailers as Risk-Free International Infoterrorists." A week later an attendee, an Austrian economist named Viktor Mayer-Schoenberger, wrote a note [2], [3], [4e] apparently to the "help" email address of HotWired; at some point the note was posted anonymously to a number of newsgroups on anonymity and politics. I have not been able to find an email address for the author.

The note makes some alarming claims about what the presenters said in answer to questions at this symposium. I wrote to Strassmann and Marlow about the accuracy of these observations. Strassmann replied today that what the attendee reported was a personal interpretation of what had been said and was out of context. They plan to issue a statement correcting what was reported. I'll post a pointer to it here, assuming the authors grant permission.

Note: URLs [2] and [3] below were obtained from an Alta Vista search [4]. You may have trouble following these links. In particular [2] resides on Alta Vista's Usenet spool and its lifetime there will be at most two weeks. [3] will work only from a Netscape browser; and at the moment the Domain Name Service is disclaiming knowledge of anon.penet.fi. Reissuing the Alta Vista search [4] might turn up more hits later as other Usenet newsgroups' traffic is indexed by the superspider.

Note added 1997-01-18: Metacrawler [4a] found two URLs at which the referenced note is archived: see [4b] and [4c].
Note added 2020-02-11: The above links [4b] and [4c] are dead now (as is Metacrawler [4a]). Following the publication today by the Washington Post of the full sordid story of the CIA's decades-long ownership of and corruption of Crypto AG [4d], I went looking anew for the alt.privacy.anon.server posting alluded to in the above article. Found it at the Google Groups archive of newsgroups [4e]. The claims were (1) that spy agencies of several countries were running anonymous remailers (and thus in a position to hoover up all of their supposedly anonymous traffic); and (2) that the NSA was then (24 years ago) able to decrypt secret messages encrypted with RSA keys of 1000 bits or fewer.

[1] http://www.strassmann.com/pubs/anon-remail.html
[2] http://ww2.altavista.digital.com/cgi-bin/news?msg@1142@alt%2eprivacy%2eanon%2dserver
[3] news:132317Z03031996@anon.penet.fi
[4] http://altavista.digital.com/cgi-bin/query?pg=aq&what=news&fmt=d&q=Strassman+and+Marlow+and+Chaarles&r=&d0=&d1=&text=yes
[4a] http://metacrawler.cs.washington.edu:8080/
[4b] http://www.metatrout.com/~jwehling/NSARemailer.html>
[4c] http://www.consilpdx.com/~jwehling/NSARemailer.html>
[4d] 'The intelligence coup of the century'
[4e] https://is.gd/gZEWiV

Threads Cryptography export policy
See also TBTF for
2000-02-06, 1999-10-05, 08-30, 08-23, 08-16, 07-26, 05-22, 05-08, 04-21, 03-01, 01-26, more...

Bills introduced to ease cryptography export regulations

On 1996-03-05 Senator Patrick Leahy (D-VT) introduced the Encrypted Communications Privacy Act of 1996 in the Senate and held a press conference with Senate and House cosponsors. The Senate [5] and House [6] versions differ somewhat; only the Senate version makes any reference to key-escrow schemes that the administration has been pushing, and consumers and corporations rejecting, for several years. The bills would waive export restrictions on such "generally available" software as PGP and popular Web browsers. They would impose criminal penalties for the use of encryption in the commision of a crime. While most civil liberties and privacy organizations applaud the bills as a good start, all have some issues with it. See the analyses of EPIC [7], CDT [8], and VTW [9]. EPIC [7] in particular catches subtle implications in the Senate bill that would prolong the NSA's unwelcome involvement in commercial encryption. Two noted cryptgraphers, Matt Blaze [10] and Bruce Schneier [11], have written open letters to Sen. Leahy that generally praise the bill but express reservations with the provisions criminalizing some uses of encryption.

[5] http://www.epic.org/crypto/legislation/s1587.html
[6] http://www.vtw.org/archive/960305_235808
[7] http://www.epic.org/crypto/legislation/s1587_analysis.html
[8] http://www.cdt. org/publications/pp_2.9.html
[9] http://www.vtw.org/archive/960305_120857
[10] http://www.vtw.org/archive/960305_124928
[11] http://www.vtw.org/archive/960306_000807

Threads Net telephony
See also TBTF for
1996-04-21, 03-24, 03-10

Hanging up the I-Phone

On 1996-03-04 a group of long-distance carriers petitioned the Federal Communications Commission to stop companies from selling software and hardware products that enable use of the Internet for long-distance voice calls. A handful of companies sell software, mostly in the $50 range, for this purpose; the free software is even more plentiful [12], [13]. At first glance these tools don't look like much of a threat to established long-distance carriers. The quality of Internet phone connections is generally poor and they are subject to the unreliability that characterizes the overloaded Net today. Also, the various software packages aren't compatible; you can only talk to someone who has the same software you do. One estimate puts the current number of users at 20,000 according to a story in the _Boston Globe_ today. The FCC has moved with uncharacteristic speed in scheduling public comment on the question; petitions for rule-making commonly sit for weeks or months without action, but within 2 days the agency had set an April 8 date for comments.

[12] http://rpcp.mit.edu/~asears/main.html
[13] http://www.northcoast.com/savetz/voice-faq.html

The funniest 650K you'll download this month

Dan Bricklin , one of the original authors of Visicalc, these days has a product called "demo-it!" for mocking up conceptual demos of software that hasn't been prototyped yet. He was asked by David Coursey , organizer of the annual Demo conference and editor/publisher of PC Letter, to come up with something amusing for Demo 96 in late January. Bricklin's "ChiaPaint" demo near about brought down the house, reports say, and earned him the honorary title of "Demo God." If you run Windows 3.1 or Windows 95 you simply must download this demo [14]. It contains a Readme file with a script that will enable you to render your own friends and family helpless with laughter. The Readme is also available separately at [15].

Here is a description of Bricklin's star turn from Nando, the official newspaper of Demo 96:

> The most entertaining event of the day was Dan Bricklin's demo of
> ChiaPaint. At first it appeared to be a Java-based variation on Kid-
> Pix, where you could mark up clip art with goofy tools like "fur" or
> "lots 'o hair," but as Bricklin encountered a series of ever more
> ridiculous error messages, most of which demanded that he enter his
> credit card number to extend his license for various Java objects,
> it became clear that it was a satire of the Sun-Oracle vision of net-
> work-centric computing -- a vision that, judging from the audience's
> howls of laughter, most of them don't share. The final punchline was
> that the joke was also a real demo -- of Bricklin's demo-it utility.

[14] http://www.pcletter.com/PC%20Letter%20Online/bricklin.html
[15] http://www.pcletter.com/dbreadme.html

An online who's-who of cryptography researchers

Kevin McCurley , one of the perpetrators of DigiCrime (see [16]), maintains a page [17] of links to the home pages of crypto researchers. The last time I visited 72 were listed. [Note added 1996-12-20: URL updated for moved page; the count is now 90 and includes 3 research groups. -- KD]

[16] http://www.tbtf.com/archive/1995-12-31.html
[17] http://www.swcp.com/~mccurley/cryptographers/cryptographers.html

Full U.S. phone book, residential and business, now online

First there was Four11 [18]; then there was WhoWhere [19]; then a half-dozen others. In the same way that Alta Vista [20] trumped the full-text, full-Web search engines, SwitchBoard [21] has trumped the people-finding Web pages. This site gives you free access to the 100 million personal and business listings in the Database America CD-ROM; and you can write to it too. The site certainly raises disturbing questions of privacy. My phone number and address are visible to the greater Internet, until and unless I visit , register with them, and change my listing. I'm sure they tried to eliminate unlisted (our British cousins would say "ex-directory") numbers from the database, but with upwards of 30% of U.S. customers requesting unlisted status, how many do you suppose slipped through? There's worse. As far as I can see there is nothing to stop me from searching for "Patrick Buchanan," picking on the candidate's listing to say "that's me," giving an anonymous email address, receiving a password there, and then adding insulting and libelous material to Mr. Buchanan's SwitchBoard listing.

From Ryan Conley <nfn00634 at naples dot net>, 1996-03-26: "Switchboard at first seems first-rate, but there is one staggering shortcoming. It has a limit (about 10 letters) to how long a name can be to be included in the database. For instance, the computer believes that there is no one in the whole country with the first name of 'Christopher.' It's too long. Try it and see. I have sent them mail about this."

[18] http://www.four11.com/
[19] http://www.whowhere.com/
[20] http://www.altavista.digital.com/
[21] http://www.switchboard.com/

Security (1): Apple server unbreached in 45-day open challenge

Between 1995-10-15 to 1995-11-31, six Macintosh Internet companies offered a $10,000 prize to anyone who could read one protected line from a particular public Web page; the target was secured only by off-the-shelf Macintosh software (StarNine's WebSTAR server and NetCloak, a CGI application from Maxum Development). The goal was to raise awareness of the Macintosh server as a highly secure Web platform. The results [22] of the challenge were published in TidBITS. Bottom line: no-one collected.

[22] http://www.dartmouth.edu/pages/TidBITS/issues/TidBITS-317.html#s5

Threads Java and JavaScript security
See also TBTF for
1997-09-15, 08-11, 07-21, 07-14, 1996-03-17, 03-10, 02-27, 02-19

Security (2): Followup on JavaScript flaws

Responding to the publicity about security holes in Navigator 2.0 resulting from the JavaScript language implementation, Netscape has promised to fix at least two of the three outstanding problems in a release 2.01 due out this week. On 1996-02-29 Brendan Eich posted a response [24] to the security concerns. (You will need the Netscape browser to retrieve this URL.)

[23] http://www.tbtf.com/archive/1996-02-27.html
[24] snews://secnews.netscape.com/31367495.7AAE@atm.mcom.com

Security (3): Another hole in Java, fixed

On 1996-02-18, Drew Dean posted a note [25] to the Risks forum detailing the findings of a group Princeton researchers. They had discovered a flaw that would allow a Java applet, after separate subversion of the Domain Name System, to make an arbitrary network connection. Sun responded quickly and prepared a patch [26] for the affected platforms, Win 95, Win NT, and several flavors of Unix. Sun's response is at [27].

[25] http://www.cs.princeton.edu/~ddean/java
[26] http://www.netscape.com/comprod/mirror/java-patch-download.html
[27] http://www.netscape.com/newsref/std/java_security.html

Security (4): The real story of Microsoft's Registration Wizard

I found the pointer to this engrossing account [28] (OK, it's engrossing if you are now or have ever been a programmer) on Rich Graves's Hack Microsoft page [29]. Written by Andrew Schulman , it gives the lowdown skinny on the Win95 Registration Wizard, first fingered in TBTF for 1995-05-23 [30]

[28] <ftp://ftp.ora.com/pub/examples/windows/win95.update/regwiz.html>
[29] <http://www.c2.org/hackmsoft/>
[30] <http://www.tbtf.com/archive/1995-05-23.html>

Security (5): Three-headed-dog night

>>From Edupage (1996-03-03):

> Researchers at Purdue University have discovered a flaw in the popular
> Kerberos computer-security system that affects the way Version 4 of the
> software creates the secret keys for encryption. The problem does not
> affect Version 5, unless it is run in a way that emulates Version 4. The
> software is supposed to select its keys randomly from among billions of
> numbers, but the problem occurs in the random-number generator, which is
> selecting from a much smaller pool of perhaps a million or so, making it
> much easier for an intruder to crack the key. "Basically, we can forge
> any key in a matter of seconds," says Purdue professor Eugene Spafford.
> The CERT Coordination Center at Carnegie Mellon University has issued an
> advisory on the problem -- CA-96.03 -- and recommends using "patches" to
> fix the flaw. < http://www.sei.cmu.edu/technology/cert.cc.html >
> (Chronicle of Higher Education 1 Mar 96 A29)


Thanks to those of you who wrote with suggestions and comments about the
style of URL references in TBTF. A good number took the time to say com-
plimentary things about the newsletter -- thanks for those too. There was
a wide wingspan of opinion and in the end I agreed with those of you who
expressed a view that can be characterized as "It's your newsletter, do
whatever you ruddy well want. Just keep on doing it." So be it.


>>TidBITS -- mail listserv@ricevm1.rice.edu without subject and with
> message: subscribe TidBITS Your Name .

>>Edupage -- mail listproc@educom.edu without subject and with
> message: subscribe edupage <your name> .

TBTF alerts you weekly to bellwethers in computer and communications tech-
nology, with special attention to commerce on the Internet. See the archive
at <http://www.tbtf.com/>. To subscribe send the message
"subscribe" to tbtf-request@world.std.com. Commercial use prohibited. For
non-commercial purposes please forward and post as you see fit.
Keith Dawson dawson dot tbtf at gmail dot com dawson@atria.com
Layer of ash separates morning and evening milk.


Copyright © 1994-2022 by Keith Dawson. Commercial use prohibited. May be excerpted, mailed, posted, or linked for non-commercial purposes.